11-15-2017 10:46 AM - edited 03-01-2019 06:15 PM
This question is similar to the one here: https://supportforums.cisco.com/t5/network-management/help-with-tcl-scripts-to-do-show-commands/td-p/1731560
I have a Cisco access point that runs IOS. It currently broadcasts an SSID which supports AES or TKIP encryption ciphers. I'd like to find out whether or not we have any clients that are using the older TKIP so that we can decide if we should switch to AES.
My first thought was to use TCL to write the output of "show dot11 associations all-client | include Name|Encryption" to the flash with a file name of the system time (so that data isn't overwritten and lost), and EEM would trigger the TCL script whenever a wireless client associated to the access point.
I have a Cisco 1252AG access point running 15.2(2)JA1, and it doesn't look like it supports EEM (the "event" command isn't available). Does anyone have any ideas on how to automate this work? I'd be open to also doing a "pull" - which means running the script from a workstation and polling the access point every minute, but the downside is that we might miss clients that are associated to the access point for less than one minute.
11-15-2017 08:17 PM
11-16-2017 12:30 AM - edited 11-16-2017 12:31 AM
Yep, my one and only AP is autonomous. I think I could use SNMP. Here are the possible values for cDot11ClientUnicastCipher (1.3.6.1.4.1.9.9.273.1.2.1.1.23):
These are all the possible unicast data frame cipher
encryption type combinations currently supported on
this IEEE 802.11 client. If none of the bits is set,
the client is not performing any unicast data frame
encryption.
aesccm WPA AES CCMP encryption,
ckip Cisco Per packet key hashing,
cmic Cisco MMH MIC,
ckip|cmic Cisco Per packet key hashing and
Cisco MMH MIC,
tkip WPA Temporal Key encryption,
wep128 128-bit WEP key,
wep40 40-bit WEP key.
tkip|wep128 WPA Temporal Key and 128-bit WEP,
ckip(0), cmic(1), tkip(2), wep40(3), wep128(4), aesccm(5)
For some reason, when I issue the command "show dot11 associations all-client | include Name|Encryption", I see that all clients are using AES-CCMP, which should be a value of 5 (above).
I then saw this Cisco bug:
CSCsk44106—SNMP returns incorrect cipher values for some clients in cDot11ClientUnicastCipher when multiple ciphers are defined on an interface.
It looks like the SNMP database results can't be reliable. The actual "show" output is correct, though (see below). I'll probably try to use the Python method you brought up. I just need to grab the MAC address of the client and its encryption cipher and put them into a file. A CSV is probably fine.
Here's the format that shows up when I run the Cisco IOS show command:
HEMOGLOBIN#show dot11 associations all-client | include Name|Encryption
Address : 0000.1234.5678 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 21a0.01bc.69e3 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 99a7.9088.357a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
11-16-2017 04:50 AM
11-16-2017 07:58 AM
Yeah, the Python help would be appreciated. I'll have time this weekend to test the script out.
Thanks!
11-16-2017 06:30 PM
11-16-2017 07:52 PM
Hi,
I don't have any autonomous AP to test it. I tested it quickly by creating a variable with the output you gave me.
The script can run over a list of IP (multiple APs) or to only 1 IP.
To run the script, you need to follow the instructions below:
It will create a CSV file in the same path you're standing in when running that script.
To be able to run the script, you'll need to install python 2.7 (https://www.python.org/downloads/), install Paramiko (http://www.paramiko.org/installing.html) and click package (using command pip install click --> http://click.pocoo.org/6/)
When the script starts, it will ask username and password to connect to AP(s). Be careful, if you run it over multiple APs, username and password have to be the same across all APs.
Rename the script dot11association.txt to dot11association.py
11-17-2017 10:28 PM - edited 11-17-2017 10:31 PM
Thanks! Looks like we are getting somewhere.
Also FYI, I had to install netmiko (sudo pip install netmiko).
I'm getting an "IndexError: List index out of range" error when running the script.
python dot11encryption.py --iponly <IP>
Username: <USERNAME>
Password:
Getting information from device <IP>
Traceback (most recent call last):
File "dot11encryption.py", line 111, in <module>
wirelessassociation()
File "/Library/Python/2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Library/Python/2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Library/Python/2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Library/Python/2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "dot11encryption.py", line 86, in wirelessassociation
address = (line.split('Address : ', 1)[1]).split(' ', 1)[0]
IndexError: list index out of range
I checked the output of "show dot11 associations all-client | include Name|Encryption", and there were around 50 rows of output.
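An added example, not the script posted in this thread: the expression in the traceback, `line.split('Address : ', 1)[1]`, raises IndexError on any line that does not contain that exact separator, so the sketch below matches lines with regular expressions, pairs each Address line with the following Encryption line, and lists clients that are not on AES-CCMP. It assumes Python 3 and the standard library only; `SAMPLE` is constructed, and the TKIP entry with its display string is an assumption made to exercise the check.

```python
import csv
import io
import re

ADDRESS_RE = re.compile(r"Address\s*:\s*((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)
CIPHER_RE = re.compile(r"Encryption\s*:\s*(\S+)", re.I)

# Constructed sample: command echo, two clients, a blank line, trailing prompt.
# The TKIP entry is invented for this example, not taken from the thread.
SAMPLE = """\
ap#show dot11 associations all-client | include Name|Encryption
Address           : 0000.1234.5678     Name             : NONE
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 0000.1234.9abc     Name             : NONE
Key Mgmt type     : WPA PSK            Encryption       : TKIP
ap#
"""

def parse_associations(output):
    """Return [(mac, cipher)], pairing each Address line with the next Encryption line."""
    clients, pending_mac = [], None
    for line in output.splitlines():
        addr = ADDRESS_RE.search(line)
        if addr:
            if pending_mac:  # previous client never got a cipher line
                clients.append((pending_mac, "UNKNOWN"))
            pending_mac = addr.group(1).lower()
            continue
        cipher = CIPHER_RE.search(line)
        if cipher and pending_mac:
            clients.append((pending_mac, cipher.group(1).upper()))
            pending_mac = None
        # anything else (prompt, command echo, blank line) is skipped, not indexed
    if pending_mac:
        clients.append((pending_mac, "UNKNOWN"))
    return clients

def non_aes_clients(clients):
    """Clients whose cipher is anything other than AES-CCMP (TKIP, WEP, unknown)."""
    return [c for c in clients if c[1] != "AES-CCMP"]

def to_csv(clients):
    """Render the (mac, cipher) pairs as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["mac", "cipher"])
    writer.writerows(clients)
    return buf.getvalue()
```

Feeding it the text returned by the SSH session and appending the CSV rows with a timestamp on each poll gives the per-client cipher history the original question asks for.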
11-18-2017 07:47 AM
11-18-2017 12:02 PM
Sure, here's the output. The MAC address for the wireless client is on the first line, and the cipher type for that wireless client is on the following line.
ap#show dot11 associations all-client | include Name|Encryption
Address : 000d.4bcd.6ae1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 001e.b2c4.6c82 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0080.92c9.69e3 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 00db.7088.357a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0805.8125.cfee Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0c47.c90b.b7a8 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0c47.c912.4b02 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 38a2.8c9a.3fed Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 40b4.cdb5.0274 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 64db.431e.437d Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 64db.431e.466f Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 7070.0d85.7cf1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 7831.c1cb.a3f6 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 784f.435b.670a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 8866.a5e4.50bc Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 9800.c6a4.cbd1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : a063.916e.cba7 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : a48d.3b70.d561 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : a88e.246c.98b8 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : b034.9578.6bd2 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : c8d3.ffff.964d Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : dc0b.3489.adcc Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : dcef.caf7.f254 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : acbc.32cd.9639 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
ap#
11-18-2017 05:04 PM
Sure, here is a part of the command output. I think there's a bug to where if I try to post something too long, it automatically deletes the post. The first line is the wireless client MAC address, and the second line is the encryption type used by the wireless client.
11-18-2017 05:05 PM
Sure, here is a part of the command output. I think there's a bug to where if I try to post something too long, it automatically deletes the post. The first line is the wireless client MAC address, and the second line is the encryption type used by the wireless client.
ap#show dot11 associations all-client | include Name|Encryption
Address : 000d.4bcd.6ae1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 001e.b2c4.6c82 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
ap#
11-18-2017 08:11 PM
11-18-2017 10:03 PM
11-19-2017 09:57 AM